Review: Virtual Privacy Machine

The Tor Desktop Virtual Privacy Machine is a USB JumpDrive preloaded with a complete Linux OS and a roster of useful applications. Plug it into a Windows or Linux machine and launch a virtual Linux desktop that routes all network traffic through multiple network proxies using the Tor network. This provides a totally secure way to access your data, even when using an internet cafe PC or an untrusted network. The VPM is a 128 MB Lexar JumpDrive USB key with a system installed on it based on Damn Small Linux/Knoppix and the Qemu processor emulator. It also contains all of the basic applications that a desktop user might need, like web browsing, email, IM, FTP, document viewing and editing, sound and video, and various system utilities. There’s enough room left on the drive to save bookmarks, settings, and small personal files.

I tested the VPM on a relatively cheapo 3 GHz Pentium 4 with 512 MB RAM running Windows XP SP2: something similar to what you might find in a newer cybercafe. It can be used as a virtual desktop on either Windows or Linux, but I only tested it on Windows. I plugged it into my Mac with the idea that I might run it in VirtualPC just for kicks, but while I was waiting for VPC to launch, I decided that it was insane. (There’s a PPC-emulating version of Qemu in the works which could theoretically be used to run a slimmed down version of PPC Linux, but that would be a pretty big project.)

To get started, just plug the USB drive into an available USB port (I used the one in my keyboard) and wait for the drive to mount. When it does, there are three files available: a very short readme, a DOS batch file to launch the Windows version and a shell script to launch the Linux version. There’s no installation of anything and no rebooting of the machine necessary. On my machine, it took one minute and twenty seconds for the system to boot up.

The system booted to an aesthetically pleasing Fluxbox-based desktop with a dark, Mordor-esque background picture and five big buttons across the top for Shell, Email (Sylpheed), Web (Firefox), IRC (X-Chat), and Messaging (Ayttm). All other functions are accessed through a right click. Forget all of the typical complaints about Linux on the desktop, with its too many options for everything. Space constraints have made this desktop very trim and quite intuitive, even elegant.

There is one Linux-on-the-desktop complaint frequently trotted out by forum trolls that certainly applies to this experience: speed. Between Qemu’s emulation overhead and the network performance hit of routing all traffic through Tor proxies, overall performance is a bit sluggish. It takes eighteen seconds from clicking on the Firefox icon to get Firefox loaded and the default Google homepage loaded up. It takes about five seconds to receive the results of a query on Google. It took about fifteen seconds for OSNews to load up completely. On the other hand, less network-intensive tasks like IM don’t really show off the slowdown. In a lot of ways, it felt like using an older, slower computer on a dial-up network connection. The bottom line is, if you want the privacy and security, there’s a price to pay, and that price is sluggish performance. I was happy to see that the performance hit wasn’t as severe as it has been on anonymous proxy servers that I’ve used in the past, though.

One thing that’s fun about the VPM is that you can see which country your proxy server is in by using the default Google page in Firefox. Google variously pegged me as being in Sweden, Canada, Greece, Germany, and the US (or unknown). I’ll start to worry when Google starts giving me results in Bork, Bork, Bork, Elmer Fudd, or Pig Latin.

Problems

In addition to the aforementioned speed issue, which was completely expected and not nearly as bad as it could be, I ran across a couple of problems, especially when I put my newbie hat on and approached the VPM as a regular, non-Linux-savvy computer user.

It wasn’t completely intuitive that “Xvesa” is the utility to change the screen resolution from the default 800×600 to a more sane 1024×768 or 1280×1024, but once I did it, the resolution change was painless. There are a couple of other Linuxy issues that a Windows user would find a little baffling. Setting up printing is not for the faint of heart, for example, and several of the other items in the control panel would be a bit cryptic. For most of them, if you don’t know what they do, you can just leave them alone (like Ndiswrapper or lwconfig), but when you’re searching for a way to change resolution or change other aspects of the default setup, it may take a bit of poking around if you’re not familiar with Linux.

As I mentioned before, that cute guess-my-location-and-language game that Google plays with you is fun at first, but it’s also an issue that could become annoying when you’re trying to get real work done. You can set your cookie for Google, of course, but you should be prepared to occasionally see large portal sites displaying in languages you don’t understand. That’s just one of the quirks that you have to deal with if you want effective anonymity.

Several times during my browsing I came across an error page stating: “Privoxy error” where the proxy servers weren’t able to connect to the sites I was requesting, and I had to reload a couple of times before they came up. Again, one of the prices of anonymity.

The final quirk I discovered was the most annoying. Apparently, the system will not store the resolution change, so when I quit and re-launch VPM, it resets back to 800×600. I’m sure someone with more expertise than I could easily change the default to whatever they wanted, so this would cease to be an issue. Perhaps a tutorial on the web site is in order? Also, I noticed that various times during my messing around the system would fail to save the settings that I had changed, like Firefox bookmarks and settings, and once even an mp3 file that I had downloaded disappeared. This is due to the fact that when you shut down it saves your changes from RAM to the USB drive. (You can’t be saving stuff constantly to these flash drives because they only have a finite number of saves in them.) Always make sure you shut down properly, or you’ll lose data. That’s always a possibility with any system, but with this one, it’s a certainty.

Conclusion

The Tor Desktop VPM costs $45 with free worldwide shipping. A blank 128 MB USB pen drive costs as little as $15 today, so you’re paying about $30 for the convenience of having all of this software installed and configured for you. Since I don’t know of very many people who need this kind of security whose time isn’t relatively valuable, I’m going to rate this product a bargain. If you’re interested in this mostly as a hobbyist exercise, then you’d certainly have fun making one on your own and customizing it to your heart’s content, but if you have a pressing need for this kind of security, then the Virtual Privacy Machine is a great option.

In conclusion, the Tor Desktop Virtual Privacy Machine is a well-executed assemblage of various Free Software tools and a useful service, priced fairly, and delivered in a small, convenient package. It’s suitable for use by anyone who uses public or insecure resources to access the internet and those who just want to keep their online activities private, such as cybercafe users, people whose bosses are likely to snoop on them at work, political activists (or just regular thinking people in repressive countries), people cheating on their spouses online, spies, crackers, OSNews trolls, and other mischief makers. Even minimally computer savvy people should have little problem using it, even though there are a couple of Linux and proxy-related quirks that might be a minor annoyance. It’s an excellent example of a quality purpose-specific device that can be made from freely-available software.

28 Comments

There was a similar thing called Metropipe that came out a good number of months ago. They had a free download of their Linux distro a while back (based off of DSL), and was still useable around a month, month and a half ago. I put it on my Linux install with an updated version of QEMU and the KQEMU accelerator – much better with KQEMU. Important thing was to edit the .bat launcher to use more RAM.

Won’t the plain-jane transmission have to be sent through my wifi AP, or will it be encrypted before it even hits the airwaves?

2005-07-12 5:12 pm

How does this stop key stroke loggers, screen grabbers, etc. from working? It isn’t booting into Linux, it’s just running a virtual machine on the (potentially spyware infested) untrusted machine.

2005-07-12 5:12 pm

You must always assume that any public workstation (especially internet cafes and libraries) has keystroke logging software installed. This isn’t a good idea for secure connections in any way. (Also the data goes through Tor proxies. Do you trust them too?)

DSL rocks! I usually just download the embedded version and run that from Windows and try it that way. It’s probably not secure this way, but for me it works fine. If this runs on a 128 stick, imagine what I can do with the extra space on my 1 gig stick.

You are correct in punching holes in my Cybercafe scenario. If you’re on an untrusted computer, a keystroke logger or screen grabber would be a potential weak spot. And “totally secure” is probably too strong a term to use when describing anything computer-related.

2005-07-12 6:17 pm

In the local public library in my hometown a user cannot get access to the public computer’s peripherals; all you can access is mouse & keyboard and monitor…

Tor isn’t about securing your data, it’s about making sure not one single proxy (or eavesdropper) is able to trace it back to your specific IP address. The packets are still perfectly readable on both the tor nodes and beyond the exit points. If you need to also protect the contents of the packets, use end to end encryption.

Either way, it’s virtually impossible (or should be anyway) to both trace a single data stream and to capture enough of it to make sense from it. Single packets, or even a couple in a row don’t pose much of a threat unless your password happens to be in them in cleartext..in which case you did something wrong anyway.

Either way, the EFF can explain it a lot better than I can, so please read http://tor.eff.org/ for more information on tor and how it works. And please do use SSL for everything you do 🙂

2005-07-12 6:45 pm

Good review David, I’ll deffo be looking at something similar.

Thom

2005-07-12 7:01 pm

DSL indeed rocks but the writer of this review is an asshole. Calling people who simply point out problems like speed “trolls” is an insult AND incorrect. A troll is someone who shows up, makes a comment to stir the pot and LEAVES. That is extremely different than people discussing pros and cons. Once I got to that paragraph with that comment I shut the rest of it out and didn’t need to read anymore, he or she obviously needs to take some college level writing classes before doing anymore “reviews”.

It just goes to show that if you try to be lighthearted, some thin-skinned know-it-all is going to get all offended. I didn’t say that *only* trolls complain about Linux’s speed. I said that trolls complain about Linux’s speed.

It’s funny how you “didn’t need to read anymore” once you read one thing that rubbed you the wrong way. Sounds like you’re someone who needs to take a college-level reading class.

You don’t win any points in an argument by admitting that you didn’t read the material, and if you admit to us that your sensibilities are so offended by a little lighthearted comment, it really doesn’t give anyone any reason to pay your arguments much attention at all. Not to mention slinging insults. What makes me an asshole? I didn’t call anyone names and I didn’t insult anyone’s education. That was you.

Let’s take a survey from the readers. Who’s the asshole?

I’m not sure what part of my review you found that gave you the impression that I needed some more writing education, because you didn’t give any support to that claim, other than my perhaps-too-weak sense of humor. Or are you just showing up, making a comment to stir the pot and LEAVING?

I have no beef with the review – I think it was good for such an unbelievably bad product.

Linux on the net today is like what search engines/directories were back in 96 – Linux is everywhere and people are customizing it to such extents where you’ve got at least 500 distributions available. Now why someone would pay $45 for this product is beyond me. The maker obviously wants to make some dough, but why should we (the users) buy this?

It does not offer protection against key logging, it does not boot from the flash drive, and it offers no guarantee that it will be usable when the admins of the computer disable the USB ports not to mention that there could be free alternatives out there.

2005-07-12 8:01 pm

I agree it was a decent review. I do not see what justifies the price; from what I can gather the jump drive is not included in the $45.00 price. The only thing that makes this any different than other live distros is the novelty of Tor coupled with Privoxy, which are both very easy to set up and are lightweight anyway.

The $45 INCLUDES the JumpDrive. The review just mentions that if you were to buy it yourself it would cost $15. So you are really paying $30 for the convenience of having it done for you and shipping costs.

2005-07-12 8:23 pm

If you’re worried about keylogging then couldn’t you just install an onscreen keyboard program on the virtual machine? You could just use it when typing passwords or sensitive e-mails or whatever. As for packet sniffing, you should already be using encryption for anything you wouldn’t want seen (like e-mail) so that seems like it’d be a fairly useful product so long as you have access to a USB port. Of course, if the contents of the virtual RAM found their way into the paging file that could be a problem, as would an admin using VNC or a video recorder on the monitor to watch the screen, so it’s not for the uber-paranoid. It does, however, seem like a decent solution for the porn-seeking student or minor activists in repressive societies though.

I forgot to mention that all in all it was a decent review of an interesting product. Of course the whole idea of booting a linux VM from an USB key just to use tor is a bit over the top. I can imagine a couple of other mechanisms which could be used to achieve the same effect, but without forcing users to change to using a linux VM. And $40 for such a device, well, you can argue about price, but IMO it’s not that much for something which has obviously cost a lot of effort to put together.

Anyway, this review is a nice change from all the news bites and the inflammatory editorials 🙂

A nice progression from the livecd distro. But it needs to go further by for example integrating with the home host (if Linux) and allowing the reconciliation of some documents and some apps configs.

But 512MB would be a lot more appropriate for that matter and still pretty cheap.

2005-07-12 10:06 pm

If you know about Tor, you know there are two main weaknesses: application leaks and DNS leaks. Tor Desktop solves both of these problems.

An application leak is when a client connects to a server and sends information that can identify the client. Most important to protect is the LOCAL IP address. If you’re on a LAN it will be some private address such as 192.168.1.100, but if you are directly connected to the internet your LOCAL IP address is your real IP address and you don’t want that leaking out to the internet. If you boot directly from USB then it is possible you are using your real IP address. However, by running inside of Qemu, it provides a virtual IP address in the 10.*.*.* range. Any applications that run will only know about this address and this address is safe to leak.

DNS leaks are more simple. This is when you resolve a domain name to an IP address directly without proxying it. If you send DNS queries directly then it is obvious to eavesdroppers what addresses you are interested in. Tor Desktop overcomes this with a DNS server that routes all queries through Tor using Tor’s resolve protocol.
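A check for the DNS leak described in the comment above, as an added example that is not part of the original comment or of the product: it scans `tcpdump -n` text output and reports every name queried on port 53 at a resolver outside an allow-list. The loopback resolver address and the capture lines are constructed assumptions; 10.0.2.3 is the DNS forwarder of QEMU's user-mode network, which hands queries to the host's own resolver.

```python
import re
from collections import defaultdict

# Assumption: the Tor-backed resolver listens on loopback inside the guest,
# so it is the only address that may receive port-53 traffic.
ALLOWED_RESOLVERS = frozenset({"127.0.0.1"})

# One UDP DNS query as printed by `tcpdump -n`, for example:
#   IP 10.0.2.15.51890 > 10.0.2.3.53: 9021+ A? webmail.example.net. (37)
QUERY = re.compile(
    r"IP \d+\.\d+\.\d+\.\d+\.\d+ > "             # source address.port
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "         # destination, port 53
    r"\d+\+?(?: \[[^\]]*\])* "                   # query id, optional flags
    r"(?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.? \("  # record type and name
)

# Constructed capture (not from the review): two loopback lines that stay
# inside the guest, three queries that leave it, one unrelated TCP packet.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 127.0.0.1.40112 > 127.0.0.1.53: 4660+ A? example.org. (29)
12:00:01.450 IP 127.0.0.1.53 > 127.0.0.1.40112: 4660 1/0/0 A 192.0.2.10 (45)
12:00:07.020 IP 10.0.2.15.51890 > 10.0.2.3.53: 9021+ A? webmail.example.net. (37)
12:00:07.030 IP 10.0.2.15.51890 > 10.0.2.3.53: 9022+ AAAA? webmail.example.net. (37)
12:00:09.500 IP 10.0.2.15.44310 > 192.0.2.53.53: 311+ [1au] A? Forum.Example.com. (46)
12:00:12.000 IP 10.0.2.15.38000 > 198.51.100.7.9001: tcp 512
""".splitlines()


def find_dns_leaks(lines, allowed=ALLOWED_RESOLVERS):
    """Map each non-allowed resolver to the sorted (type, name) pairs sent to it.

    Responses and non-DNS packets do not match QUERY and are ignored.
    """
    leaks = defaultdict(set)
    for line in lines:
        m = QUERY.search(line)
        if m and m["dst"] not in allowed:
            # DNS names are case-insensitive; normalise before de-duplicating.
            leaks[m["dst"]].add((m["qtype"], m["name"].lower()))
    return {dst: sorted(names) for dst, names in leaks.items()}


if __name__ == "__main__":
    for resolver, names in find_dns_leaks(SAMPLE_CAPTURE).items():
        for qtype, name in names:
            print(f"leak: {qtype} {name} sent to {resolver}")
```

An empty result on a capture taken at the guest's outward-facing interface is what a leak-free setup looks like; any entry lists exactly the hostnames an eavesdropper on that path would see.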

2005-07-12 11:13 pm

Anything you do through Tor can be spied upon by the proxy at the end of the chain. They won’t be able to tell *who* requested the information, but they can read it. This means that it is a dangerous idea for you to use Tor to access sites that require passwords like your webmail/pop3/imap/telnet. You just have to trust that the last proxy in the chain is run by an honest person.

It would be safer to use something like SSH over Tor, where the password is not sent as plaintext.

Just like in Mother Russia, when the Communists moved in, we had to develop a thriving underground economy to serve the interests of the people.

Now that the industrio-socialists have seized America, well, it is good that the TOR is there. It is a beginning.

When all of an American’s tax dollars go to the mighty war machine and to the bankers, there must be a way for people to get bread and vodka.

Bravo, EFF for making TOR.

2005-07-13 2:21 am

Metropipe has something called the “Portable Virtual Privacy Machine” (likely the same thing as this uses) available as a free download at their website. It does use a demo of the “Metropipe Tunneler” though, rather than normal ol’ Tor, but I’m sure there’s a way to install the more desirable option.

Why don’t they just include a thumbprint reader on the USB and no need to type the password at all?

2005-07-14 2:46 pm

as long as the USB thumbprint reader only creates a one time secret that would be fine for me

2005-07-13 7:48 pm

I thought it was a GREAT concept – so great I bought one. (where I live, a 128 Jumpdrive would have cost $30 US by itself) and Tor isn’t the easiest thing to set up -especially for someone as “geek-challenged” as I. It works pretty much like the reviewer said – of course, when “running” it on a PII 400, which is well above the requirements for DSL, it was more like crawling, as the host system used most of the resources before QEMU even loaded. Then I found ELE (“Everything Leaves Encrypted”) http://www.northernsecurity.net/download/ele/ which is essentially the same idea – except it has a virtual keyboard (for the keylogger moments), is a free download, and burns to a bootable ISO or USB Stick and which doesn’t seem to suffer from “DNS leaks”

I still think it’s a great concept, and I believe in supporting the F/LOSS community – but while Virtual Privacy Machines doesn’t offer a refund on their product, ELE doesn’t need one.